IAM-07: User Access Changes and Revocation

Control Statement

De-provision or respectively modify access of movers / leavers or system identity changes in a timely manner in order to effectively adopt and communicate identity and access management policies.

Implementation Guidance

Deprovisioning should automatically remove associated authorizations. For systems not integrated into automated processes, deprovisioning processes should be manually carried out by system owners. De-provisions to customer data should be made known to cloud customers where applicable.

Auditing Guidance

  1. Determine if a process is established for removing logical access when users leave the organization or when access is no longer appropriate.
  2. Determine if a timeframe for access removal and access modification is defined.
  3. Verify that a process is established for removing existing system access and assigning appropriate access or for modifying existing access after internal transfer or change of job functions.
  4. Determine if established processes for access removal and modification, within the defined time frame, are followed in practice.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Controls Matrix is Copyright 2023 Cloud Security Alliance.